Forget About Backdoors, This Is The Data WhatsApp Actually Hands To Cops

Security
I cover crime, privacy and security in digital and physical forms.

WhatsApp won't hand users private messages over to cops, but it has sent chunks of other revealing data to federal agents, court filings show. (Photo by Carl Court/Getty Images)

When the Guardian published a report on an alleged WhatsApp backdoor last week, it elicited both fear of state surveillance and ire from cryptography experts. On Friday, that second group labelled the story needless scaremongering in a letter to the British paper demanding a retraction. Whatever side you stood, there was the begging, unanswered question: just what kind of access does WhatsApp actually grant to the government?

According to court filings reviewed by your reporter over recent months, there's little indication WhatsApp has ever handed message content to the cops. But it has given plenty of other revealing data to the FBI on multiple occasions. Mostly it's metadata showing which numbers contacted which over WhatsApp, when, and for how long, as well as the IP addresses and phone identifiers associated with the subpoenaed accounts. Location and contacts data may also be accessible to police when they come knocking on WhatsApp's Mountain View doors.

But it's not easy finding out just how WhatsApp complies with law enforcement requests. Indeed, one of the biggest concerns around WhatsApp from a privacy perspective is its opacity, as frequently noted in the Electronic Frontier Foundation's assessments of which tech providers "have your back." Whilst owner Facebook does have a transparency report, released twice a year, it doesn't drill down into how many data requests relate to WhatsApp, let alone what kinds of information it can hand over. Similarly, Facebook has open law enforcement guidelines outlining how and when users' information can be retrieved, but WhatsApp does not and isn't mentioned in its parent's documentation. Another thing Facebook does (unless ordered not to) is inform a user when their account is being searched. It's unclear if WhatsApp does the same.

WhatsApp wouldn't offer specifics on how it works with law enforcement, other than to say it had channels for doing so. The company spokesman also wouldn't confirm or deny that it had ever handed message content to a global government, but reiterated it couldn't now do that as end-to-end encryption was fully deployed across its 1 billion users. He confirmed government data grabs were included in Facebook's transparency report, but wouldn't provide any specifics.

Pen trap orders

With almost zero revealing information coming from WhatsApp, I started looking through court filings and found a handful of examples of cases where it had provided information on customer accounts, both before and after the rollout of end-to-end encryption.

The more common kind of request - from the court documents that were available - ordered WhatsApp to install a pen register device. These can't scoop up content of communications but provide metadata that WhatsApp encryption doesn't keep private.

Hence one order (published below) sent to WhatsApp in May 2016, a month after the full rollout of end-to-end encryption was complete. The messenger giant was asked by an Ohio court to track numbers calling and messaging a suspect as part of an investigation into a cocaine and methamphetamine racket (government application linked). The date, time and duration of comms would be recorded, as would the numbers involved. It also demanded details on any SMS text messaging WhatsApp had access to. That pen register would last for 60 days.

WhatsApp was asked to do this work without any disclosure of the pen register to the suspected dealer. And it was told that if it didn't already have a "caller identification option or similar feature," it had to create one so law enforcement could more effectively track their targets. WhatsApp had not responded to a request for comment on how it dealt with that order, or how it manages pen register applications in general.

Other pen register orders from 2014 and 2015 across NewHampshire and Kansas asked for much the same, though they also required IP addresses and device identifiers be scooped up too.

Data direct from WhatsApp

Perhaps the most infamous case where WhatsApp provided data involved that of Mufid Elfghee, one of the first ISIS recruiters to be arrested on U.S. soil. He not only attempted to send men and money to ISIS in Syria, but also bought firearms in an FBI sting. Investigators suspected Elfghee was plotting to kill U.S. soldiers returning from Iraq as well as Shia Muslims, a sect ISIS has declared an enemy. Elfghee was sentenced to more than 22 years in prison in March 2016.

Amongst other platforms Elfghee used (like other ISIS operatives he was very active on Twitter) was WhatsApp. In July 2014, WhatsApp was served with a subpoena, to which it responded with data on three different numbers believed to have been used in Elfghee's machinations. The information included when the account was activated, when it was last opened, and data showing the apps accessed the address book and groups features on the associated mobile devices. In August 2014, FBI agents came back and asked WhatsApp for information including "identities and locations of persons, telephone numbers or accounts," court filings show. The warrant was executed soon after.

The language in the warrant indicated cops, even in 2014 before the crypto deployment, struggled to get any message content from WhatsApp. The FBI noted at the time that messages were not stored by WhatsApp, except when they were undelivered. Even then, the message would be deleted after 30 days if it remained undelivered.

Similar orders have been requested in Guam and the District of Colombia, but in the first case the government backed down for unexplained reasons, whilst in the latter the court denied the application for being too broad. The District of Colombia court noted the government failed to provide enough information on the nature of the case - a murder of a U.S. national abroad - or how the accounts were linked to the investigation. Your reporter could find no further evidence of updated requests.

Metadata mapping

Whilst WhatsApp might not provide full content of messages, the kind of metadata it provides is often enough to draw an informative map of a target's life, said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union (ACLU). She noted that WhatsApp already shares contact information with Facebook where users haven't opted out, which they may provide to government. And the WhatsApp privacy policy notes that it does store some location and contacts information where users have opted to provide them.

"The best practise is to purge information," Guliani added. "When it comes to metadata, how often is WhatsApp purging this kind of information?" As a comparison, the Signal messaging app doesn't store any such metadata and therefore doesn't need to purge it. And whilst it openly admits contact numbers are shared with Signal servers, they're garbled by an encryption algorithm into what's known as a "hash" (though former developer Frederic Jacobs told me it's "trivial" to bruteforce those hashes, so if in the unlikely event a fake Signal server is set up to target a user, their contacts could be exposed).

Guliani had more questions for Facebook's firm: "Is WhatsApp responding to cases for location data? Are the warrants precise? Or is WhatsApp permitting [access to it] under a lower standard given the law is kind of spotty?"

WhatsApp had not provided comment on any of the above questions at the time of publication.

Huge Facebook requests

In stark contrast, what's apparent from publicly accessible court documents is that WhatsApp owner Facebook is frequently ordered to furnish law enforcement with a substantial amount of content.

Searching court records from December 2016 alone reveals numerous cases where police requested vast amounts of data. In New York, for instance, feds sought access to Facebook accounts of two women suspected of possession and importation of cocaine, demanding the company provide an incredible amount of information. That included: private messages, video call history, all uses of the 'Like' feature, all Facebook searches, privacy settings, Facebook passwords and security questions and answers, photos the suspects uploaded or were tagged in, logs of activities on the social networking site, and contacts, right down to rejected friend requests. Facebook hadn't responded to a request for comment on how it handled that warrant.

As revealed in its most recent transparency report, covering January to June 2016, Facebook fielded 23,854 requests for information from the U.S. government, more than 80 per cent of which it produced some data. Released just before Christmas, the report also noted that in those requests U.S. agencies sought information on 38,951 user accounts.

There's an odd disparity, then, between WhatsApp and Mark Zuckerberg's social media behemoth. Whilst WhatsApp won't share any of your private content - and can't share anything like what Facebook can and does open up - it's noticeably more secretive than its parent about how and when it works with feds.

Given they've been under the same roof since 2014's $19 billion acquisition, perhaps it's time to merge policies and furnish not just police with clear information, but users too.

I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist ...